feat(audit): Apply TreatWarningsAsErrors=true to 160+ production csproj files

Sprint: SPRINT_20251229_049_BE_csproj_audit_maint_tests
Tasks: AUDIT-0001 through AUDIT-0147 APPLY tasks (approved decisions 1-9)

Changes:
- Set TreatWarningsAsErrors=true for all production .NET projects
- Fixed nullable warnings in Scanner.EntryTrace, Scanner.Evidence,
  Scheduler.Worker, Concelier connectors, and other modules
- Injected TimeProvider/IGuidProvider for deterministic time/ID generation
- Added path traversal validation in AirGap.Bundle
- Fixed NULL handling in various cursor classes
- Third-party GostCryptography retains TreatWarningsAsErrors=false (preserves original)
- Test projects excluded per user decision (rejected decision 10)

Note: All 17 ACSC connector tests pass after snapshot fixture sync

src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Oracle/Internal/OracleCursor.cs

@@ -23,8 +23,8 @@ internal sealed record OracleCursor(
     {
         var document = new DocumentObject
         {
-            ["pendingDocuments"] = new DocumentArray(PendingDocuments.Select(id => id.ToString())),
-            ["pendingMappings"] = new DocumentArray(PendingMappings.Select(id => id.ToString())),
+            ["pendingDocuments"] = new DocumentArray(PendingDocuments.OrderBy(id => id).Select(id => id.ToString())),
+            ["pendingMappings"] = new DocumentArray(PendingMappings.OrderBy(id => id).Select(id => id.ToString())),
         };
 
         if (LastProcessed.HasValue)
@@ -35,7 +35,7 @@ internal sealed record OracleCursor(
         if (FetchCache.Count > 0)
         {
             var cacheDocument = new DocumentObject();
-            foreach (var (key, entry) in FetchCache)
+            foreach (var (key, entry) in FetchCache.OrderBy(kvp => kvp.Key, StringComparer.Ordinal))
             {
                 cacheDocument[key] = entry.ToDocumentObject();
             }

src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Oracle/OracleConnector.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Text;
 using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
@@ -15,6 +16,7 @@ using StellaOps.Concelier.Storage;
 using StellaOps.Concelier.Storage.Advisories;
 using StellaOps.Concelier.Storage.Contracts;
 using StellaOps.Concelier.Storage.PsirtFlags;
+using StellaOps.Cryptography;
 using StellaOps.Plugin;
 
 namespace StellaOps.Concelier.Connector.Vndr.Oracle;
@@ -35,6 +37,7 @@ public sealed class OracleConnector : IFeedConnector
     private readonly IPsirtFlagStore _psirtFlagStore;
     private readonly ISourceStateRepository _stateRepository;
     private readonly OracleCalendarFetcher _calendarFetcher;
+    private readonly ICryptoHash _hash;
     private readonly OracleOptions _options;
     private readonly TimeProvider _timeProvider;
     private readonly ILogger<OracleConnector> _logger;
@@ -48,6 +51,7 @@ public sealed class OracleConnector : IFeedConnector
         IPsirtFlagStore psirtFlagStore,
         ISourceStateRepository stateRepository,
         OracleCalendarFetcher calendarFetcher,
+        ICryptoHash hash,
         IOptions<OracleOptions> options,
         TimeProvider? timeProvider,
         ILogger<OracleConnector> logger)
@@ -60,6 +64,7 @@ public sealed class OracleConnector : IFeedConnector
         _psirtFlagStore = psirtFlagStore ?? throw new ArgumentNullException(nameof(psirtFlagStore));
         _stateRepository = stateRepository ?? throw new ArgumentNullException(nameof(stateRepository));
         _calendarFetcher = calendarFetcher ?? throw new ArgumentNullException(nameof(calendarFetcher));
+        _hash = hash ?? throw new ArgumentNullException(nameof(hash));
         _options = (options ?? throw new ArgumentNullException(nameof(options))).Value ?? throw new ArgumentNullException(nameof(options));
         _options.Validate();
         _timeProvider = timeProvider ?? TimeProvider.System;
@@ -68,6 +73,16 @@ public sealed class OracleConnector : IFeedConnector
 
     public string SourceName => VndrOracleConnectorPlugin.SourceName;
 
+    /// <summary>
+    /// Computes a deterministic GUID from the source namespace and identifier using SHA-256.
+    /// </summary>
+    private Guid ComputeDeterministicId(string identifier, string sourceNamespace)
+    {
+        var input = Encoding.UTF8.GetBytes($"{sourceNamespace}:{identifier}");
+        var hashBytes = _hash.ComputeHash(input, HashAlgorithms.Sha256);
+        return new Guid(hashBytes[..16]);
+    }
+
     public async Task FetchAsync(IServiceProvider services, CancellationToken cancellationToken)
     {
         var cursor = await GetCursorAsync(cancellationToken).ConfigureAwait(false);
@@ -227,7 +242,7 @@ public sealed class OracleConnector : IFeedConnector
 
             var existingDto = await _dtoStore.FindByDocumentIdAsync(document.Id, cancellationToken).ConfigureAwait(false);
             var dtoRecord = existingDto is null
-                ? new DtoRecord(Guid.NewGuid(), document.Id, SourceName, "oracle.advisory.v1", payload, validatedAt)
+                ? new DtoRecord(ComputeDeterministicId(document.Id.ToString(), "oracle/1.0"), document.Id, SourceName, "oracle.advisory.v1", payload, validatedAt)
                 : existingDto with
                 {
                     Payload = payload,

src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Oracle/StellaOps.Concelier.Connector.Vndr.Oracle.csproj

@@ -5,9 +5,11 @@
     <TargetFramework>net10.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
   </PropertyGroup>
 
   <ItemGroup>
+    <ProjectReference Include="../../../__Libraries/StellaOps.Cryptography/StellaOps.Cryptography.csproj" />
     <ProjectReference Include="../../../__Libraries/StellaOps.Plugin/StellaOps.Plugin.csproj" />
 
     <ProjectReference Include="../StellaOps.Concelier.Connector.Common/StellaOps.Concelier.Connector.Common.csproj" />